@rizom/ops 0.2.0-alpha.41 → 0.2.0-alpha.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +1 -1
  2. package/dist/brains-ops.js +75 -75
  3. package/dist/content-repo.d.ts +1 -0
  4. package/dist/index.js +75 -75
  5. package/dist/schema.d.ts +3 -0
  6. package/package.json +1 -1
  7. package/templates/rover-pilot/.env.schema +6 -0
  8. package/templates/rover-pilot/README.md +2 -1
  9. package/templates/rover-pilot/docs/onboarding-checklist.md +3 -2
  10. package/templates/rover-pilot/pilot.yaml +1 -0
package/dist/schema.d.ts CHANGED
@@ -14,6 +14,7 @@ export declare const pilotSchema: z.ZodObject<{
14
14
  preset: z.ZodEnum<["core", "default", "pro"]>;
15
15
  aiApiKey: z.ZodString;
16
16
  gitSyncToken: z.ZodString;
17
+ contentRepoAdminToken: z.ZodString;
17
18
  mcpAuthToken: z.ZodString;
18
19
  agePublicKey: z.ZodString;
19
20
  }, "strict", z.ZodTypeAny, {
@@ -27,6 +28,7 @@ export declare const pilotSchema: z.ZodObject<{
27
28
  preset: "default" | "core" | "pro";
28
29
  aiApiKey: string;
29
30
  gitSyncToken: string;
31
+ contentRepoAdminToken: string;
30
32
  mcpAuthToken: string;
31
33
  }, {
32
34
  agePublicKey: string;
@@ -39,6 +41,7 @@ export declare const pilotSchema: z.ZodObject<{
39
41
  preset: "default" | "core" | "pro";
40
42
  aiApiKey: string;
41
43
  gitSyncToken: string;
44
+ contentRepoAdminToken: string;
42
45
  mcpAuthToken: string;
43
46
  }>;
44
47
  export declare const userSchema: z.ZodObject<{
package/package.json CHANGED
@@ -4,7 +4,7 @@
4
4
  "publishConfig": {
5
5
  "access": "public"
6
6
  },
7
- "version": "0.2.0-alpha.41",
7
+ "version": "0.2.0-alpha.43",
8
8
  "type": "module",
9
9
  "exports": {
10
10
  ".": {
package/templates/rover-pilot/.env.schema CHANGED
@@ -14,6 +14,12 @@ AI_API_KEY=
14
14
  # @required @sensitive
15
15
  GIT_SYNC_TOKEN=
16
16
 
17
+ # Content repo administration
18
+ # Local/operator secret only. Used by brains-ops to create missing GitHub repos;
19
+ # do not deploy it into Rover runtime config.
20
+ # @required @sensitive
21
+ CONTENT_REPO_ADMIN_TOKEN=
22
+
17
23
  # MCP interface
18
24
  # Comes from the decrypted users/<handle>.secrets.yaml.age file.
19
25
  # @required @sensitive
package/templates/rover-pilot/README.md CHANGED
@@ -29,6 +29,7 @@ The repo also checks in its deploy contract:
29
29
  - `.github/workflows/*`
30
30
 
31
31
  `.env.schema` is the single source of truth for required and sensitive deploy vars.
32
+ Use separate GitHub tokens: `CONTENT_REPO_ADMIN_TOKEN` for operator-side content repo creation/checks, and `GIT_SYNC_TOKEN` for runtime directory-sync git access.
32
33
  The shared pilot image tag is `brain-${brainVersion}` end to end.
33
34
  When `pilot.yaml.brainVersion` changes and you push, CI rebuilds the shared tag, refreshes generated user env files, and redeploys affected users.
34
35
  When a push changes only deploy contract files, CI prints `No affected user configs; skipping deploy.` and stops before Kamal.
@@ -38,7 +39,7 @@ When a push changes only deploy contract files, CI prints `No affected user conf
38
39
  - `brains-ops init <repo>`
39
40
  - `brains-ops render <repo>` — regenerates `views/users.md` with live DNS, `/health`, and unauthenticated `/mcp` status checks
40
41
  - `brains-ops user:add <repo> <handle> --cohort <cohort>` — scaffolds a user file, per-user secrets template, and cohort membership
41
- - `brains-ops onboard <repo> <handle>`
42
+ - `brains-ops onboard <repo> <handle>` — creates/seeds the user's content repo with separate admin and sync tokens
42
43
  - `brains-ops age-key:bootstrap <repo>`
43
44
  - `brains-ops ssh-key:bootstrap <repo>`
44
45
  - `brains-ops cert:bootstrap <repo>`
package/templates/rover-pilot/docs/onboarding-checklist.md CHANGED
@@ -4,7 +4,8 @@
4
4
  2. Run `bunx brains-ops age-key:bootstrap <repo> --push-to gh`.
5
5
  3. Fill in `pilot.yaml`.
6
6
  - keep your pinned `brainVersion`
7
- - confirm shared selectors for `aiApiKey`, `gitSyncToken`, and `mcpAuthToken`
7
+ - confirm shared selectors for `aiApiKey`, `gitSyncToken`, `contentRepoAdminToken`, and `mcpAuthToken`
8
+ - use different tokens for `contentRepoAdminToken` and `gitSyncToken`: admin creates/checks content repos; sync is used by runtime directory-sync
8
9
  - confirm `agePublicKey`
9
10
  4. Run `bunx brains-ops user:add <repo> <handle> --cohort <cohort>`.
10
11
  - Discord is enabled by default for pilot users.
@@ -14,7 +15,7 @@
14
15
  6. Run `bunx brains-ops render <repo>`.
15
16
  7. Run `bunx brains-ops ssh-key:bootstrap <repo> --push-to gh`.
16
17
  8. Run `bunx brains-ops cert:bootstrap <repo> --push-to gh`.
17
- 9. Keep raw user secret material locally for now (`.env.local`, file-backed env vars, or equivalent local inputs).
18
+ 9. Keep raw user secret material locally for now (`.env.local`, file-backed env vars, or equivalent local inputs), including `CONTENT_REPO_ADMIN_TOKEN` for operator onboarding.
18
19
  10. Run `bunx brains-ops secrets:encrypt <repo> <handle>`.
19
20
  11. Commit and push `users/<handle>.secrets.yaml.age`.
20
21
  12. Run `bunx brains-ops onboard <repo> <handle>`.
package/templates/rover-pilot/pilot.yaml CHANGED
@@ -7,5 +7,6 @@ domainSuffix: .rizom.ai
7
7
  preset: core
8
8
  aiApiKey: AI_API_KEY
9
9
  gitSyncToken: GIT_SYNC_TOKEN
10
+ contentRepoAdminToken: CONTENT_REPO_ADMIN_TOKEN
10
11
  mcpAuthToken: MCP_AUTH_TOKEN
11
12
  agePublicKey: age1replace-with-your-public-key